mirrors/uv
1
0
Fork 0
mirror of https://github.com/astral-sh/uv.git synced 2025-08-04 10:58:28 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Implement trusted publishing (#7548)

Browse source 
Co-authored-by: Charlie Marsh <charlie.r.marsh@gmail.com>
This commit is contained in:
konsti 2024-09-24 18:07:20 +02:00 committed by GitHub
parent c053dc84f4
commit 205bf8cabe
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
22 changed files with 502 additions and 40 deletions
Download patch file Download diff file Expand all files Collapse all files

13
docs/reference/cli.md
View file

@ -6913,6 +6913,19 @@ uv publish [OPTIONS] [FILES]...
<p>Using a token is equivalent to passing <code>__token__</code> as <code>--username</code> and the token as <code>--password</code>. password.</p>
<p>May also be set with the <code>UV_PUBLISH_TOKEN</code> environment variable.</p>
</dd><dt><code>--trusted-publishing</code> <i>trusted-publishing</i></dt><dd><p>Configure using trusted publishing through GitHub Actions.</p>
<p>By default, uv checks for trusted publishing when running in GitHub Actions, but ignores it if it isn&#8217;t configured or the workflow doesn&#8217;t have enough permissions (e.g., a pull request from a fork).</p>
<p>Possible values:</p>
<ul>
<li><code>automatic</code>: Try trusted publishing when we&#8217;re already in GitHub Actions, continue if that fails</li>
<li><code>always</code></li>
<li><code>never</code></li>
</ul>
</dd><dt><code>--username</code>, <code>-u</code> <i>username</i></dt><dd><p>The username for the upload</p>
<p>May also be set with the <code>UV_PUBLISH_USERNAME</code> environment variable.</p>

29
docs/reference/settings.md
View file

@ -1246,6 +1246,35 @@ By default, uv will use the latest compatible version of each package (`highest`
---
### [`trusted-publishing`](#trusted-publishing) {: #trusted-publishing }
Configure trusted publishing via GitHub Actions.
By default, uv checks for trusted publishing when running in GitHub Actions, but ignores it
if it isn't configured or the workflow doesn't have enough permissions (e.g., a pull request
from a fork).
**Default value**: `automatic`
**Type**: `str`
**Example usage**:
=== "pyproject.toml"
```toml
[tool.uv]
trusted-publishing = "always"
```
=== "uv.toml"
```toml
trusted-publishing = "always"
```
---
### [`upgrade`](#upgrade) {: #upgrade }
Allow package upgrades, ignoring pinned versions in any existing output file.